notifications-admin/app/templates/views/security.html

{% extends "content_template.html" %}
{% from "components/table.html" import mapping_table, row, text_field, edit_field, field with context %}

{% block per_page_title %}
  Security
{% endblock %}

{% block content_column_content %}

  <h1 class="font-body-2xl margin-bottom-3">Security</h1>
  <p>Notify.gov is built for the needs of government services. It has processes in place to:</p>
  <ul class="list list-bullet">
    <li>protect user data</li>
    <li>keep systems secure</li>
    <li>manage risks around information</li>
  </ul>

  <h2 id="infrastructure">Infrastructure</h2>

  <p>Notify.gov is comprised of two applications both running on <a href="https://www.cloud.gov">cloud.gov</a>:</p>
  <ul class="list">
    <li>Admin, a Flask website running on the python_buildpack which hosts agency user-facing UI</li>
    <li>API, a Flask application running on the python_buildpack hosting the Notify API</li>
  </ul>

  <p>Notify.gov utilizes several cloud.gov-provided services through Amazon Web Services (AWS):</p>
  <ul class="list">
    <li>AWS S3 buckets for temporary file storage</li>
    <li>AWS Elasticache (Redis) for caching data and enqueueing background tasks</li>
    <li>AWS RDS (PostgreSQL) for system data storage</li>
  </ul>

  <p>Notify.gov also provisions and uses two AWS services via a <a href="https://github.com/GSA/datagov-ssb">supplemental service broker</a>:</p>
  <ul class="list">
    <li><a href="https://aws.amazon.com/sns/">AWS SNS</a> for sending SMS messages</li>
    <li><a href="https://aws.amazon.com/ses/">AWS SES</a> for sending email messages (note: email function is currently unavailable to users for pilot)</li>
  </ul>

  <h2 id="current-security-review">Current security review</h2>
  <p>Currently, Notify.gov operates under a GSA <a href="https://www.gsa.gov/system/files/Lightweight-Security-Authorization-Process-%28LATO%29%20%5BCIO-IT-Security-14-68-Rev-7%5D%2009-17-2021docx%20%281%29.pdf">Lightweight Authority to Operate (LATO)</a>. This federal security authorization
  process leverages security controls provided by National Institute of Standards and Technology (NIST). The process is
  focused on operational security from both a functional and assurance perspective.</p>
  <p>We are pursuing a full Authority to Operate (ATO)</p>

  <h2 id="data">Data</h2>
  <p>To send a message, agencies upload a spreadsheet of phone numbers and other necessary data from their existing data
  management system. On Notify.gov, data is encrypted when it passes through the service and when it’s stored on the
  service.</p>
  <p>Notify.gov is not a system of record and as a result does not have a SORN. Agencies are responsible for managing their
  data outside of Notify.gov.</p>
  <ul class="list">
    <li>Notify stores data within the cloud.gov-managed PostgreSQL database and <a href="https://cloud.gov/docs/services/s3/#encryption">S3 buckets</a>. The entire database is <a href="https://cloud.gov/docs/services/relational-database/#encryption">encrypted at
    the disk level</a>.</li>
    <li>Additionally, data is encrypted at the field level when it is stored in the database, using OpenSSL 3.0.8 via the Python
    cryptography library. The implementation is available <a href="https://github.com/GSA/notifications-utils/blob/main/notifications_utils/clients/encryption/encryption_client.py">on GitHub</a>.</li>
  </ul>

  <h2 id="data-retention">Data retention</h2>
  <p>Any recipient data uploaded is only held for seven days; all personally identifiable information (PII) is deleted for
  successful messages, so data is retained only for unsuccessful messages.
  </p>

  <h2 id="technical-security">Technical security</h2>

  <h3 class="font-body-lg">Protect sensitive information</h3>
  <p>Some messages include sensitive information like security codes or password reset links.</p>
  <p>If you’re sending a message with sensitive information, you can choose to hide those details on the Notify dashboard once the message has been sent. This means that only the message recipient will be able to see that information.</p>

  <h2 class="font-body-lg" id="user-permissions-signing-in">User permissions and signing in</h2>
  <p>You can set different user permissions in Notify. This lets you control who in your team has access to certain parts of the service.</p>
  <h3 class="font-body-lg">Two-factor authentication</h3>
  <p>To sign in to Notify, you’ll need to enter:</p>
  <ul class="list list-bullet">
    <li>your email address and password</li>
    <li>a text message code that Notify sends to your phone</li>
  </ul>
  <p>If signing in with a text message is a problem for your team, <a class="usa-link" href="{{ url_for('main.support') }}">contact us</a> to find out about using an email link instead.</p>

  <img src="{{ asset_url('images/product/security-review-message.png') }}"
    alt="Screenshot of a teat message in review with the link to 'hide personalization after sending' circled.">

  <h4>How to hide PII after sending a message</h4>

  <h3>User permissions and signing in</h3>
  <p>You can set different user permissions in Notify. This lets you control who in your team has access to certain parts of
  the service.</p>

  <h3>Multi-factor authentication (MFA)</h3>
  <p>Notify.gov uses <a href="https://login.gov/">Login.gov</a> to authenticate users.</p>
  <ul class="list">
    <li>Your email address and password</li>
    <li>A code from an authenticator app or sent by Login.gov in the form of a text message</li>
  </ul>
  <p>If signing in with a text message is a problem for your team, <a href="https://beta.notify.gov/support">contact us</a> to find out about using an email link instead.</p>

  <!-- <h2 class="font-body-lg" id="information-risk-management">Information risk management</h2>
  <p>Our approach to information risk management follows NCSC guidance. It assesses:</p>
  <ul class="list list-bullet">
    <li>how Notify is built</li>
    <li>the infrastructure Notify is built upon</li>
    <li>support for the Notify service</li>
  </ul>
  <p>This approach also applies to the service providers Notify uses to send messages.</p> -->

  <!-- <h2 class="font-body-lg" id="how-we-manage-risk">How we manage risks on Notify</h2>
  <p>Things we do to manage risks on Notify include:</p>
  <ul class="list list-bullet">
    <li>formal risk assessments based on <a class="usa-link" href="http://www.iso.org/iso/catalogue_detail?csnumber=56742">ISO 27005:2011</a> and National Cyber Security Centre guidance</li>
    <li><a class="usa-link" href="https://www.ncsc.gov.uk/information/check-penetration-testing">CHECK</a>-based testing, both annually and when any major changes are made to Notify</li>
    <li>residual risk statement preparation and active management of the risk treatment plan</li>
    <li>regular updates to the Privacy Impact Assessment</li>
    <li>security impact assessments</li>
  </ul> -->

  <!-- <h2 class="font-body-lg" id="cabinet-office-approval">Cabinet Office approval</h2>
  <p>Notify has been assessed and approved by the Cabinet Office Senior Information Risk Officer (SIRO). The SIRO checks this approval once a year.</p>
  <p>Notify also has approval from the Office of the Government’s SIRO to host data within the EEA.</p>

  <h2 class="font-body-lg" id="classifications-and-security-vetting">Classifications and security vetting</h2>
  <p>You can use Notify to send messages classified as ‘OFFICIAL’ or ‘OFFICIAL-SENSITIVE’ under the <a class="usa-link" href="https://www.gov.uk/government/publications/government-security-classifications">Government Security Classifications</a> policy.</p>
  <p>Notify does not process data classified as ‘SECRET’ or ‘TOP SECRET’.</p>
  <p>The Notify team has Security Check (SC) level clearance from <a class="usa-link" href="https://www.gov.uk/government/organizations/united-kingdom-security-vetting">United Kingdom Security Vetting</a> (UKSV).</p> -->

{% endblock %}